In computer security, business requirements for modern enterprise systems usually comprise a variety of dynamic constraints, such as constraints that limit access to data to authorized users only. In highly distributed systems in particular, such as enterprise systems based on the service-oriented architecture paradigm, the time needed to evaluate access control constraints depends on the protocol between a central policy decision point and the distributed policy enforcement points. In one example of a distributed enterprise system, various distributed policy enforcement points, each embedded in a different client application, communicate with a centralized policy decision point. In such a system, some of the attributes used to evaluate access control requests are accessible only from the client applications. Accordingly, resolving attributes often requires substantial network communication between the centralized policy decision point and the various distributed policy enforcement points.
One particular approach to resolving attributes is a trial-and-error approach in which the centralized policy decision point requests the required attributes from the policy enforcement points iteratively. For example, if the evaluation of an access control request requires a service attribute, the policy decision point returns a missing-attribute message to the client, including information about the missing attribute. Because the policy decision point is usually stateless and does not store the last request, the initial request has to be resubmitted by the policy enforcement point together with the requested attribute. If another service attribute is then found to be required, the policy decision point once again returns a missing-attribute message to the policy enforcement point. This process repeats until all required attributes are resolved. Furthermore, the evaluation of the access control request is repeated from the beginning every time the policy enforcement point submits a new request, so one round trip and one full evaluation are spent per missing attribute. This trial-and-error approach therefore requires substantial network communication between the centralized policy decision point and the various distributed policy enforcement points, and can delay the evaluation of access control requests.